Skip to content
GitLab
Menu
Projects
Groups
Snippets
Loading...
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
Menu
Open sidebar
ISC Open Source Projects
BIND
Commits
a5c7cfba
Commit
a5c7cfba
authored
Oct 30, 2014
by
Mark Andrews
Browse files
3990. [testing] Add tests for unknown DNSSEC algorithm handling.
[RT #37541]
parent
eb524336
Changes
9
Hide whitespace changes
Inline
Side-by-side
CHANGES
View file @
a5c7cfba
3990. [testing] Add tests for unknown DNSSEC algorithm handling.
[RT #37541]
3989. [cleanup] Remove redundent dns_db_resigned calls. [RT #35748]
3988. [func] Allow the zone serial of a dynamically updatable
...
...
bin/tests/system/dnssec/clean.sh
View file @
a5c7cfba
...
...
@@ -77,3 +77,7 @@ rm -f ns7/split-rrsig.db ns7/split-rrsig.db.unsplit
rm
-f
Kexample.
*
rm
-f
keygen.err
rm
-f
ns3/future.example.db ns3/trusted-future.key
rm
-f
ns3/dnskey-nsec3-unknown.example.db
rm
-f
ns3/dnskey-nsec3-unknown.example.db.tmp
rm
-f
ns3/dnskey-unknown.example.db
rm
-f
ns3/dnskey-unknown.example.db.tmp
bin/tests/system/dnssec/ns2/example.db.in
View file @
a5c7cfba
...
...
@@ -102,6 +102,12 @@ ns.nsec3-unknown A 10.53.0.3
optout-unknown NS ns.optout-unknown
ns.optout-unknown A 10.53.0.3
dnskey-unknown NS ns.dnskey-unknown
ns.dnskey-unknown A 10.53.0.3
dnskey-nsec3-unknown NS ns.dnskey-nsec3-unknown
ns.dnskey-nsec3-unknown A 10.53.0.3
multiple NS ns.multiple
ns.multiple A 10.53.0.3
...
...
bin/tests/system/dnssec/ns2/sign.sh
View file @
a5c7cfba
...
...
@@ -29,7 +29,8 @@ zonefile=example.db
for
subdomain
in
secure badds bogus dynamic keyless nsec3 optout
\
nsec3-unknown optout-unknown multiple rsasha256 rsasha512
\
kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname
\
ttlpatch split-dnssec split-smart expired expiring upper lower
ttlpatch split-dnssec split-smart expired expiring upper lower
\
dnskey-unknown dnskey-nsec3-unknown
do
cp
../ns3/dsset-
$subdomain
.example.
.
done
...
...
bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in
0 → 100644
View file @
a5c7cfba
; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a A 10.0.0.3
*.e A 10.0.0.6
child NS ns2.example.
bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in
0 → 100644
View file @
a5c7cfba
; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a A 10.0.0.3
*.e A 10.0.0.6
child NS ns2.example.
bin/tests/system/dnssec/ns3/named.conf
View file @
a5c7cfba
...
...
@@ -155,6 +155,17 @@ zone "optout-unknown.example" {
file
"optout-unknown.example.db.signed"
;
};
zone
"dnskey-unknown.example"
{
type
master
;
file
"dnskey-unknown.example.db.signed"
;
};
zone
"dnskey-nsec3-unknown.example"
{
type
master
;
nsec3
-
test
-
zone
yes
;
file
"dnskey-nsec3-unknown.example.db.signed"
;
};
zone
"multiple.example"
{
type
master
;
file
"multiple.example.db.signed"
;
...
...
bin/tests/system/dnssec/ns3/sign.sh
View file @
a5c7cfba
...
...
@@ -175,7 +175,7 @@ cat $infile $keyname.key >$zonefile
$SIGNER
-P
-g
-3
-
-A
-r
$RANDFILE
-o
$zone
$zonefile
>
/dev/null 2>&1
#
# A nsec3 zone (non-optout) with unknown hash algorithm.
# A nsec3 zone (non-optout) with unknown
nsec3
hash algorithm
(-U)
.
#
zone
=
nsec3-unknown.example.
infile
=
nsec3-unknown.example.db.in
...
...
@@ -188,7 +188,7 @@ cat $infile $keyname.key >$zonefile
$SIGNER
-P
-3
-
-U
-r
$RANDFILE
-o
$zone
$zonefile
>
/dev/null 2>&1
#
# A optout nsec3 zone.
# A optout nsec3 zone
with a unknown nsec3 hash algorithm (-U)
.
#
zone
=
optout-unknown.example.
infile
=
optout-unknown.example.db.in
...
...
@@ -200,6 +200,42 @@ cat $infile $keyname.key >$zonefile
$SIGNER
-P
-3
-
-U
-A
-r
$RANDFILE
-o
$zone
$zonefile
>
/dev/null 2>&1
#
# A zone with a unknown DNSKEY algorithm.
# Algorithm 7 is replaced by 100 in the zone and dsset.
#
zone
=
dnskey-unknown.example.
infile
=
dnskey-unknown.example.db.in
zonefile
=
dnskey-unknown.example.db
keyname
=
`
$KEYGEN
-q
-r
$RANDFILE
-a
NSEC3RSASHA1
-b
768
-n
zone
$zone
`
cat
$infile
$keyname
.key
>
$zonefile
$SIGNER
-P
-3
-
-r
$RANDFILE
-o
$zone
-O
full
-f
${
zonefile
}
.tmp
$zonefile
>
/dev/null 2>&1
awk
'$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }'
${
zonefile
}
.tmp
>
${
zonefile
}
.signed
$DSFROMKEY
-A
-f
${
zonefile
}
.signed
$zone
>
dsset-
${
zone
}
#
# A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U).
# Algorithm 7 is replaced by 100 in the zone and dsset.
#
zone
=
dnskey-nsec3-unknown.example.
infile
=
dnskey-nsec3-unknown.example.db.in
zonefile
=
dnskey-nsec3-unknown.example.db
keyname
=
`
$KEYGEN
-q
-r
$RANDFILE
-a
NSEC3RSASHA1
-b
768
-n
zone
$zone
`
cat
$infile
$keyname
.key
>
$zonefile
$SIGNER
-P
-3
-
-r
$RANDFILE
-o
$zone
-U
-O
full
-f
${
zonefile
}
.tmp
$zonefile
>
/dev/null 2>&1
awk
'$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }'
${
zonefile
}
.tmp
>
${
zonefile
}
.signed
$DSFROMKEY
-A
-f
${
zonefile
}
.signed
$zone
>
dsset-
${
zone
}
#
# A multiple parameter nsec3 zone.
#
...
...
bin/tests/system/dnssec/tests.sh
View file @
a5c7cfba
...
...
@@ -2711,5 +2711,71 @@ else
n
=
`
expr
$n
+ 1
`
fi
echo
"I:checking that positive unknown NSEC3 hash algorithm does validate (
$n
)"
ret
=
0
$DIG
$DIGOPTS
+noauth +noadd +nodnssec +adflag
-p
5300 @10.53.0.3 nsec3-unknown.example SOA
>
dig.out.ns3.test
$n
$DIG
$DIGOPTS
+noauth +noadd +nodnssec +adflag
-p
5300 @10.53.0.4 nsec3-unknown.example SOA
>
dig.out.ns4.test
$n
grep
"status: NOERROR,"
dig.out.ns3.test
$n
>
/dev/null
||
ret
=
1
grep
"status: NOERROR,"
dig.out.ns4.test
$n
>
/dev/null
||
ret
=
1
grep
"flags:.*ad.*QUERY"
dig.out.ns4.test
$n
>
/dev/null
||
ret
=
1
grep
"ANSWER: 1,"
dig.out.ns4.test
$n
>
/dev/null
||
ret
=
1
n
=
`
expr
$n
+ 1
`
if
[
$ret
!=
0
]
;
then
echo
"I:failed"
;
fi
status
=
`
expr
$status
+
$ret
`
echo
"I:checking that positive unknown NSEC3 hash algorithm with OPTOUT does validate (
$n
)"
ret
=
0
$DIG
$DIGOPTS
+noauth +noadd +nodnssec +adflag
-p
5300 @10.53.0.3 optout-unknown.example SOA
>
dig.out.ns3.test
$n
$DIG
$DIGOPTS
+noauth +noadd +nodnssec +adflag
-p
5300 @10.53.0.4 optout-unknown.example SOA
>
dig.out.ns4.test
$n
grep
"status: NOERROR,"
dig.out.ns3.test
$n
>
/dev/null
||
ret
=
1
grep
"status: NOERROR,"
dig.out.ns4.test
$n
>
/dev/null
||
ret
=
1
grep
"flags:.*ad.*QUERY"
dig.out.ns4.test
$n
>
/dev/null
||
ret
=
1
grep
"ANSWER: 1,"
dig.out.ns4.test
$n
>
/dev/null
||
ret
=
1
n
=
`
expr
$n
+ 1
`
if
[
$ret
!=
0
]
;
then
echo
"I:failed"
;
fi
status
=
`
expr
$status
+
$ret
`
echo
"I:checking that negative unknown NSEC3 hash algorithm does not validate (
$n
)"
ret
=
0
$DIG
$DIGOPTS
+noauth +noadd +nodnssec +adflag
-p
5300 @10.53.0.3 nsec3-unknown.example A
>
dig.out.ns3.test
$n
$DIG
$DIGOPTS
+noauth +noadd +nodnssec +adflag
-p
5300 @10.53.0.4 nsec3-unknown.example A
>
dig.out.ns4.test
$n
grep
"status: NOERROR,"
dig.out.ns3.test
$n
>
/dev/null
||
ret
=
1
grep
"status: SERVFAIL,"
dig.out.ns4.test
$n
>
/dev/null
||
ret
=
1
n
=
`
expr
$n
+ 1
`
if
[
$ret
!=
0
]
;
then
echo
"I:failed"
;
fi
status
=
`
expr
$status
+
$ret
`
echo
"I:checking that negative unknown NSEC3 hash algorithm with OPTOUT does not validate (
$n
)"
ret
=
0
$DIG
$DIGOPTS
+noauth +noadd +nodnssec +adflag
-p
5300 @10.53.0.3 optout-unknown.example A
>
dig.out.ns3.test
$n
$DIG
$DIGOPTS
+noauth +noadd +nodnssec +adflag
-p
5300 @10.53.0.4 optout-unknown.example A
>
dig.out.ns4.test
$n
grep
"status: NOERROR,"
dig.out.ns3.test
$n
>
/dev/null
||
ret
=
1
grep
"status: SERVFAIL,"
dig.out.ns4.test
$n
>
/dev/null
||
ret
=
1
n
=
`
expr
$n
+ 1
`
if
[
$ret
!=
0
]
;
then
echo
"I:failed"
;
fi
status
=
`
expr
$status
+
$ret
`
echo
"I:checking that unknown DNSKEY algorithm validates as insecure (
$n
)"
ret
=
0
$DIG
$DIGOPTS
+noauth +noadd +nodnssec +adflag
-p
5300 @10.53.0.3 dnskey-unknown.example A
>
dig.out.ns3.test
$n
$DIG
$DIGOPTS
+noauth +noadd +nodnssec +adflag
-p
5300 @10.53.0.4 dnskey-unknown.example A
>
dig.out.ns4.test
$n
grep
"status: NOERROR,"
dig.out.ns3.test
$n
>
/dev/null
||
ret
=
1
grep
"status: NOERROR,"
dig.out.ns4.test
$n
>
/dev/null
||
ret
=
1
grep
"flags:.*ad.*QUERY"
dig.out.ns4.test
$n
>
/dev/null
&&
ret
=
1
n
=
`
expr
$n
+ 1
`
if
[
$ret
!=
0
]
;
then
echo
"I:failed"
;
fi
status
=
`
expr
$status
+
$ret
`
echo
"I:checking that unknown DNSKEY algorithm + unknown NSEC3 has algorithm validates as insecure (
$n
)"
ret
=
0
$DIG
$DIGOPTS
+noauth +noadd +nodnssec +adflag
-p
5300 @10.53.0.3 dnskey-nsec3-unknown.example A
>
dig.out.ns3.test
$n
$DIG
$DIGOPTS
+noauth +noadd +nodnssec +adflag
-p
5300 @10.53.0.4 dnskey-nsec3-unknown.example A
>
dig.out.ns4.test
$n
grep
"status: NOERROR,"
dig.out.ns3.test
$n
>
/dev/null
||
ret
=
1
grep
"status: NOERROR,"
dig.out.ns4.test
$n
>
/dev/null
||
ret
=
1
grep
"flags:.*ad.*QUERY"
dig.out.ns4.test
$n
>
/dev/null
&&
ret
=
1
n
=
`
expr
$n
+ 1
`
if
[
$ret
!=
0
]
;
then
echo
"I:failed"
;
fi
status
=
`
expr
$status
+
$ret
`
echo
"I:exit status:
$status
"
exit
$status
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment